Downright malicious browser plugins and add-ons are obviously a massive security risk, but make no mistake unpatched or outdated extensions are just as big a headache. For this reason, Mozilla has a blocklist service to deal with plugins that jeopardize the security, stability, or performance of Firefox. The latest addition to the Firefox blocklist happens to be the ubiquitous Java plugin. Hit the jump for more.

Google earlier this week updated the Chrome Stable channel to 16.0.912.77 for Windows, Mac, Linux and Chrome Frame, patching four privately reported vulnerabilities in its browser. How come only four, you ask, when the headline clearly mentions five? Actually the fifth was patched a couple of weeks back, but Google mistakenly failed to include it in the release notes. Hit the jump for more.

A computer science student at Stanford University has discovered a hole in Adobe Flash that could be used by an attacker to furtively enable the victim’s camera and microphone. The vulnerability is not in Flash itself, but the Adobe Flash Settings Manager page. More details about the vulnerability can be found after the jump.

Perhaps motivated by Duke Nukem Forever shipping after a decade-and-a-half of development and delays, Microsoft decided to finally patch a vulnerability dating back to the 1990s. Included in yesterday's Patch Tuesday bulletin bonanza is a little nugget listed as CVE-2011-1871, which according to ComputerWorld.com is a fix for the dreaded 'Ping of Death,' or at least it was dreaded some two decades ago.

Adobe has patched an “important’ vulnerability in the recently released Flash Player 10.3.181.16 and all previous versions for Windows, Macintosh, Linux and Solaris, the San Jose-based company said on Sunday. It has issued a security bulletin (APSB11-13) to address the important vulnerability (CVE-2011-2107), which also affects Flash Player 10.3.185.22 and earlier versions for Android. Hit the jump for more.

Outdated browser plugins pose a considerable security threat. According to a report published earlier this year by security and compliance management company Qualys, 80 percent of all browser vulnerabilities stem from outdated plugins. The company behind the browser security analysis tool BrowserCheck, Qualys has just ranked different browser plugins based on their affinity for remaining outdated.

Adobe kicked off the week with a security advisory warning users of its Flash Player about a zero-day bug that is reportedly “being exploited in the wild in targeted attacks via a Flash (.swf) file embedded in a Microsoft Excel (.xls) file delivered as an email attachment.” The vulnerability has also been confirmed to affect the auth.dll component that accompanies certain versions of Reader and Acrobat X, but the company has yet to come across any exploits targeting them.

Hit the jump to find out more about the vulnerability, including when exactly Adobe hopes to have it patched.

A security researcher, known only by his nom de guerre “Cupidon-3005,” disclosed a new zero-day bug in Windows Server Message Block (SMB) on Monday. Opting for full disclosure, the security researcher posted exploit code for the vulnerability that, according to Secunia, can be exploited “to cause a DoS (Denial of Service) or potentially compromise a vulnerable system.” Hit the jump for Microsoft’s statement acknowledging the flaw.

Microsoft had a slight breather in September after it delivered a record 14 security bulletins on Patch Tuesday in August. The company was actually preserving its energy for an even more hectic Patch Tuesday in October, which, according to the Security Bulletin Advance Notification, will include 16 updates to patch 49 vulnerabilities – a new record. Out of the 16 security bulletins, four are labeled “critical,” ten “important,” and the remaining two “moderate.” Ten of the security updates address flaws that could allow remote code execution.

Microsoft today issued an out-of-band security update to tackle a bug in ASP.NET that is being exploited in the wild. Following a public report of the vulnerability, the Redmond outfit confirmed the bug in a Security Advisory (2416728) on September 17. MS, in its advisory, had expressed concerns that hackers could use the Windows Web server flaw to “view data, such as the View State, which was encrypted by the target server, or read data from files on the target server, such as web.config.”

"Based on our comprehensive monitoring of the threat landscape, we have determined an out-of-band release is needed to protect customers, as we have seen limited attacks and continued attempts to bypass current defenses and workarounds," the company told the IDG News Service.

The fix covers all supported Windows versions. The update is currently only available through the company's download center, and not through Windows Update, meaning that it can only be installed manually.

"This is the first time we've released [an] update this way, but due to the nature of the active attacks and the severity of the potential loss of data, we are releasing the security update to the Microsoft Download Center first so customers (specifically large enterprises, hosting providers and ISVs) can begin updating their systems.”